California Law and Alternatives to "Privacy Policy"
A couple of weeks ago, on the FPF Facebook page, we posted our thoughts about a comment Alexander Macgillivray, Twitter’s general counsel, made about the decision to name Twitter’s “privacy policy” as such and not as “public policy,” based upon the requirements of California law.
We finally had a chance to take a closer look at California’s online privacy law, comprised of CA BPC § 22575 and related statutes. In actuality, there is no explicit requirement in the law to label a privacy policy as a “privacy policy.” Instead, the statute only requires that the policy, or the hyperlink to the policy, be conspicuous; the statute then sets out numerous ways in which the policy text can meet that requirement. Oddly, the only time the word “privacy” is required is if the hyperlink to the privacy policy is an icon instead of text.
Have some users been trained to look for the privacy link at the bottom of a Web page? Perhaps, but we encourage an approach that seeks to be more engaging and meaningful. Like the Buzz.com method mentioned in the quoted post below, users should be able to clearly see that use or sharing of their information is a feature of the service. More transparency, user control, and increased trust will result from calling privacy policies exactly what they are: policies about how information will be used and shared.
Our original Facebook post on the subject is below:
From the NY Times today: Alexander Macgillivray, Twitter’s general counsel, said, “From the beginning, Twitter has been a public and open service.” Twitter’s privacy policy states: “Our services are primarily designed to help you share information with the world. Most of the information you provide to us is information you are asking us to make public.” Mr. Macgillivray added, “That’s why, when we were revising our privacy policy, we toyed with the idea of calling it our ‘public policy.’ ” He said the company would have done so but California law required that it have a “privacy policy” labeled as such.
Although Twitter’s model of public sharing is different than many companies, Macgillivray touches on a key point. Should companies that use and share or make visible user data be promising users “privacy”? Or, should they be more straightforward and transparent in communicating to users in terms more relevant to reality? We use your information to tailor the ads you see and hope to sell you stuff. That’s how we make the money to pay for this site. Please tell us more so we can get it right, or let us know that you prefer the generic experience here. Instead of privacy staff promising users privacy, let’s have the product folks explaining how they use the data for users. Consider the research by Prof. Joseph Turow indicating that 75% of users think a “privacy policy” means data will not be shared, when the reality is that at many companies it is used or shared.
As an example, we noted a few days ago the “how your information is shared on buzz.com” policy that AT&T has used on www.buzz.com. On the same note, our intention in developing the “power i” icon that the IAB/DMA et al. will use for behavioral advertising was not to create a privacy symbol, but rather a data-use symbol.
Maybe California should tweak its law to allow the use of a privacy link or “other express statement indicating that data is being used or shared”? Does it actually require the word ‘privacy’ as Twitter’s general counsel suggests? Shall we move from privacy policies to information use policies? Of course, more than semantics will be needed to advance the cause of responsible practices. But shifting the internal company mindset from a “privacy policy” notice as a way to make required disclosures and moving towards explaining data use as a feature or as a visible part of the primary purpose of the site or service could be a way forward.